1 <html devsite> 2 <head> 3 <title>UICC Carrier Privileges</title> 4 <meta name="project_path" value="/_project.yaml" /> 5 <meta name="book_path" value="/_book.yaml" /> 6 </head> 7 <body> 8 <!-- 9 Copyright 2017 The Android Open Source Project 10 11 Licensed under the Apache License, Version 2.0 (the "License"); 12 you may not use this file except in compliance with the License. 13 You may obtain a copy of the License at 14 15 http://www.apache.org/licenses/LICENSE-2.0 16 17 Unless required by applicable law or agreed to in writing, software 18 distributed under the License is distributed on an "AS IS" BASIS, 19 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 20 See the License for the specific language governing permissions and 21 limitations under the License. 22 --> 23 24 25 26 <p>Android 5.1 introduced a mechanism to grant special privileges for APIs 27 relevant to the Universal Integrated Circuit Card (UICC) owners apps. The 28 Android platform loads certificates stored on a UICC and grants permission to 29 apps signed by these certificates to make calls to a handful of special APIs. 30 </p> 31 <p>Android 7.0 extends this feature to support other storage sources, such as 32 Access File Rule (ARF), for UICC carrier privilege rules, dramatically 33 increasing the number of carriers that can use the APIs. For an API reference, 34 see <a href="#carrierconfigmanager">CarrierConfigManager</a>; for instructions, 35 see <a href="/devices/tech/config/carrier.html">Carrier 36 Configuration</a>.</p> 37 38 <p>Since carriers have full control of the UICC, this mechanism provides a 39 secure and flexible way to manage apps from the Mobile Network Operator (MNO) 40 hosted on generic application distribution channels (such as Google Play) while 41 retaining special privileges on devices and without the need to sign apps with 42 the per-device platform certificate or pre-install as a system app.</p> 43 44 <h2 id=rules_on_uicc>Rules on UICC</h2> 45 46 <p>Storage on the UICC is compatible with the 47 <a href="http://www.globalplatform.org/specificationsdevice.asp">GlobalPlatform 48 Secure Element Access Control specification</a>. The application identifier 49 (AID) on card is <code>A00000015141434C00</code>, and the standard GET DATA 50 command is used to fetch rules stored on the card. You may update these rules 51 via card over-the-air (OTA) update.</p> 52 53 <h3 id=data_hierarchy>Data hierarchy</h3> 54 <p>UICC rules use the following data hierarchy (the two-character letter and 55 number combination in parentheses is the object tag). Each rule is a REF-AR-DO 56 (E2) and consists of a concatenation of a REF-DO and an AR-DO:</p> 57 58 <ul> 59 <li>REF-DO (E1) contains a DeviceAppID-REF-DO or a concatenation of a 60 DeviceAppID-REF-DO and a PKG-REF-DO. 61 <ul> 62 <li>DeviceAppID-REF-DO (C1) stores the SHA-1 (20 bytes) or SHA-256 (32 bytes) 63 signature of the certificate. 64 <li>PKG-REF-DO (CA) is the full package name string defined in manifest, ASCII 65 encoded, max length 127 bytes. 66 </ul></li> 67 <li>AR-DO (E3) is extended to include PERM-AR-DO (DB), which is an 8-byte bit 68 mask representing 64 separate permissions.</li> 69 </ul> 70 71 <p>If PKG-REF-DO is not present, any app signed by the certificate is granted 72 access; otherwise both certificate and package name need to match.</p> 73 74 <h3 id=rule_example>Rule example</h3> 75 <p>The application name is <code>com.google.android.apps.myapp</code> and the 76 SHA-1 certificate in hex string is:</p> 77 <pre class="devsite-click-to-copy"> 78 AB:CD:92:CB:B1:56:B2:80:FA:4E:14:29:A6:EC:EE:B6:E5:C1:BF:E4 79 </pre> 80 81 <p>The rule on UICC in hex string is:</p> 82 <pre class="devsite-click-to-copy"> 83 E243 <= 43 is value length in hex 84 E135 85 C114 ABCD92CBB156B280FA4E1429A6ECEEB6E5C1BFE4 86 CA1D 636F6D2E676F6F676C652E616E64726F69642E617070732E6D79617070 87 E30A 88 DB08 0000000000000001 89 </pre> 90 91 <h2 id=arf>Access Rule File (ARF) support</h2> 92 <p>Android 7.0 adds support for reading carrier privilege rules from the Access 93 Rule File (ARF).</p> 94 <p>The Android platform first attempts to select the Access Rule Applet (ARA) 95 application identifier (AID) <code>A00000015141434C00</code>. If it doesn't find 96 the AID on the Universal Integrated Circuit Card (UICC), it falls back to ARF by 97 selecting PKCS15 AID <code>A000000063504B43532D3135</code>. Android then reads 98 Access Control Rules File (ACRF) at <code>0x4300</code> and looks for entries 99 with AID <code>FFFFFFFFFFFF</code>. Entries with different AIDs are ignored, so 100 rules for other use cases can co-exist.</p> 101 <p>Example ACRF content in hex string:</p> 102 <pre class="devsite-click-to-copy"> 103 30 10 A0 08 04 06 FF FF FF FF FF FF 30 04 04 02 43 10 104 </pre> 105 106 <p>Example Access Control Conditions File (ACCF) content:</p> 107 <pre class="devsite-click-to-copy"> 108 30 16 04 14 61 ED 37 7E 85 D3 86 A8 DF EE 6B 86 4B D8 5B 0B FA A5 AF 81 109 </pre> 110 111 <p>In above example, <code>0x4310</code> is the address for ACCF, which contains 112 the certificate hash 113 <code>61:ED:37:7E:85:D3:86:A8:DF:EE:6B:86:4B:D8:5B:0B:FA:A5:AF:81</code>. Apps 114 signed by this certificate are granted carrier privileges.</p> 115 116 <h2 id=enabled_apis>Enabled APIs</h2> 117 118 <p>Android supports the following APIs.</p> 119 120 <h3 id=telephonymanager>TelephonyManager</h3> 121 122 <ul> 123 <li>API to allow the carrier application to ask UICC for a challenge/response: 124 <a href="https://developer.android.com/reference/android/telephony/TelephonyManager.html#getIccAuthentication(int,%20int,%20java.lang.String)"><code>getIccAuthentication</code></a>. 125 </li> 126 127 <li>API to check whether calling application has been granted carrier 128 privileges: 129 <a href="http://developer.android.com/reference/android/telephony/TelephonyManager.html#hasCarrierPrivileges()"><code>hasCarrierPrivileges</code></a>. 130 </li> 131 132 <li>APIs to override brand and number: 133 <ul> 134 <li><code>setOperatorBrandOverride</code></li> 135 <li><code>setLine1NumberForDisplay</code></li> 136 <li><code>setVoiceMailNumber</code></li> 137 </ul></li> 138 139 <li>APIs for direct UICC communication: 140 <ul> 141 <li><code>iccOpenLogicalChannel</code></li> 142 <li><code>iccCloseLogicalChannel</code></li> 143 <li><code>iccExchangeSimIO</code></li> 144 <li><code>iccTransmitApduLogicalChannel</code></li> 145 <li><code>iccTransmitApduBasicChannel</code></li> 146 <li><code>sendEnvelopeWithStatus</code></li> 147 </ul></li> 148 149 <li>API to set device mode to global: 150 <code>setPreferredNetworkTypeToGlobal</code>.</li> 151 </ul> 152 153 <h3 id=smsmanager>SmsManager</h3> 154 155 <p>API to allow caller to create new incoming SMS messages: 156 <code>injectSmsPdu</code>.</p> 157 158 <h3 id=carrierconfigmanager>CarrierConfigManager</h3> 159 160 <p>API to notify configuration changed: 161 <code>notifyConfigChangedForSubId</code>. For instructions, see 162 <a href="/devices/tech/config/carrier.html">Carrier Configuration</a>. 163 </p> 164 165 <h3 id=carriermessagingservice>CarrierMessagingService</h3> 166 167 <p>Service that receives calls from the system when new SMS and MMS are sent 168 or received. To extend this class, declare the service in your manifest file 169 with the <code>android.Manifest.permission#BIND_CARRIER_MESSAGING_SERVICE</code> 170 permission and include an intent filter with the <code>#SERVICE_INTERFACE</code> 171 action. APIs include:</p> 172 <ul> 173 <li><code>onFilterSms</code></li> 174 <li><code>onSendTextSms</code></li> 175 <li><code>onSendDataSms</code></li> 176 <li><code>onSendMultipartTextSms</code></li> 177 <li><code>onSendMms</code></li> 178 <li><code>onDownloadMms</code></li> 179 </ul> 180 181 <h3 id=telephonyprovider>TelephonyProvider</h3> 182 183 <p>Content provider APIs to allow modifications (insert, delete, update, query) 184 to the telephony database. Values fields are defined at 185 <a href="https://developer.android.com/reference/android/provider/Telephony.Carriers.html"><code>Telephony.Carriers</code></a>; 186 for more details, refer to 187 <a href="https://developer.android.com/reference/android/provider/Telephony.html">Telephony</a> 188 API reference on developer.android.com.</p> 189 190 <h2 id=android_platform>Android platform</h2> 191 192 <p>On a detected UICC, the platform will construct internal UICC objects that 193 include carrier privilege rules as part of the UICC. 194 <a href="https://android.googlesource.com/platform/frameworks/opt/telephony/+/master/src/java/com/android/internal/telephony/uicc/UiccCarrierPrivilegeRules.java"><code>UiccCarrierPrivilegeRules.java</code></a> 195 loads rules, parses them from the UICC card, and caches them in memory. When 196 a privilege check is needed, <code>UiccCarrierPrivilegeRules</code> compares the 197 caller certificate with its own rules one by one. If the UICC is removed, rules 198 are destroyed along with the UICC object.</p> 199 200 <h2 id=validation>Validation</h2> 201 <p>The Android 7.0 CTS includes tests for carrier APIs in 202 <code>CtsCarrierApiTestCases.apk</code>. Because this feature depends on 203 certificates on the UICC, you must prepare the UICC to pass these tests.</p> 204 205 <h3 id=prepare_uicc>Preparing the UICC</h3> 206 <p>By default, <code>CtsCarrierApiTestCases.apk</code> is signed by Android 207 developer key, with hash value 208 <code>61:ED:37:7E:85:D3:86:A8:DF:EE:6B:86:4B:D8:5B:0B:FA:A5:AF:81</code>. The 209 tests also print out the expected certificate hash if certificates on UICC 210 mismatch.</p> 211 <p>Example output:</p> 212 <pre class="devsite-click-to-copy"> 213 junit.framework.AssertionFailedError: This test requires a SIM card with carrier privilege rule on it. 214 Cert hash: 61ed377e85d386a8dfee6b864bd85b0bfaa5af81 215 </pre> 216 217 <p>In order to validate the implementation via CTS using 218 <code>CtsCarrierApiTestCases.apk</code>, you must have a developer UICC with 219 the correct UICC rules or ARF support. You may ask the SIM card vendor 220 of your choice to prepare a developer UICC with the right ARF as described in 221 this section and use that UICC to run the tests. The UICC does not require 222 active cellular service to pass CTS tests.</p> 223 224 <h3 id=run_tests>Running tests</h3> 225 <p>For convenience, the Android 7.0 CTS supports a device token that restricts 226 tests to run only on devices configured with same token. Carrier API CTS tests 227 support the device token <code>sim-card-with-certs</code>. For example, the 228 following device token restricts carrier API tests to run only on device 229 <code>abcd1234</code>:</p> 230 <pre class="devsite-terminal devsite-click-to-copy"> 231 cts-tradefed run cts --device-token abcd1234:sim-card-with-certs 232 </pre> 233 234 <p>When running a test without using a device token, the test runs on all 235 devices.</p> 236 237 <h2 id=faq>FAQ</h2> 238 239 <p><strong>How can certificates be updated on the UICC?</strong></p> 240 241 <p><em>A: Use existing card OTA update mechanism.</em></p> 242 243 <p><strong>Can it co-exist with other rules?</strong></p> 244 245 <p><em>A: Its fine to have other security rules on the UICC under same AID; the 246 platform will filter them out automatically.</em></p> 247 248 <p><strong>What happens when the UICC is removed for an app that relies on the 249 certificates on it?</strong></p> 250 251 <p><em>A: The app will lose its privileges because the rules associated with the 252 UICC are destroyed on UICC removal.</em></p> 253 254 <p><strong>Is there a limit on the number of certificates on the UICC?</strong> 255 </p> 256 257 <p><em>A: The platform doesnt limit the number of certificates; but because the 258 check is linear, too many rules may incur a latency for check.</em></p> 259 260 <p><strong>Is there a limit to number of APIs we can support via this method? 261 </strong></p> 262 263 <p><em>A: No, but we limit the scope of APIs to carrier related.</em></p> 264 265 <p><strong>Are there some APIs prohibited from using this method? If so, how do 266 you enforce them? (i.e. Will you have tests to validate which APIs are supported 267 via this method?)</strong></p> 268 269 <p><em>A: See the "API Behavioral Compatibility" section of the 270 <a href="/compatibility/cdd.html">Android Compatibility Definition 271 Document (CDD)</a>. We have some CTS tests to make sure the permission model of 272 the APIs is not changed.</em></p> 273 274 <p><strong>How does this work with the multi-SIM feature?</strong></p> 275 276 <p><em>A: The default SIM that gets set by the user will be used.</em></p> 277 278 <p><strong>Does this in any way interact or overlap with other SE access 279 technologies, e.g. SEEK?</strong></p> 280 <p><em>A: As an example, SEEK uses the same AID as on the UICC. So the rules 281 co-exist and are filtered by either SEEK or UiccCarrierPrivileges.</em></p> 282 283 <p><strong>When is it a good time to check carrier privileges?</strong></p> 284 <p><em>A: After the SIM state loaded broadcast.</em></p> 285 286 <p><strong>Can OEMs disable part of carrier APIs?</strong></p> 287 288 <p><em>A: No. We believe current APIs are the minimal set, and we plan to use 289 the bit mask for finer granularity control in the future.</em></p> 290 291 <p><strong>Does setOperatorBrandOverride override ALL other forms of operator 292 name strings? For example, SE13, UICC SPN, network based NITZ, etc.?</strong> 293 </p> 294 295 <p><em>A: Refer to the SPN entry in 296 <a href="http://developer.android.com/reference/android/telephony/TelephonyManager.html">TelephonyManager</a> 297 </em></p> 298 299 <p><strong>What does the injectSmsPdu method call do?</strong></p> 300 301 <p><em>A: This facilitates SMS backup/restore in the cloud. The injectSmsPdu 302 call enables the restore function.</em></p> 303 304 <p><strong>For SMS filtering, is the onFilterSms call based on SMS UDH port 305 filtering? Or would carrier apps have access to ALL incoming SMS?</strong></p> 306 307 <p><em>A: Carriers have access to all SMS data.</em></p> 308 309 <p><strong>Since the extension of DeviceAppID-REF-DO to support 32 bytes appears 310 incompatible with the current GP spec (which allows 0 or 20 bytes only) why are 311 you introducing this change? Do you not consider SHA-1 to be good enough to 312 avoid collisions? Have you proposed this change to GP already, as this could 313 be backwards incompatible with existing ARA-M/ARF?</strong></p> 314 315 <p><em>A: For providing future-proof security this extension introduces SHA-256 316 for DeviceAppID-REF-DO in addition to SHA-1 which is currently the only option 317 in the GP SEAC standard. It is highly recommended to use SHA-256.</em></p> 318 319 <p><strong>If DeviceAppID is 0 (empty), would you really apply the rule to all 320 device applications not covered by a specific rule?</strong></p> 321 322 <p><em>A: Carrier apis require deviceappid-ref-do be non-empty. Being empty is 323 intended for test purpose and is not recommended for operational deployments. 324 </em></p> 325 326 <p><strong>According to your spec, PKG-REF-DO used just by itself, without 327 DeviceAppID-REF-DO, should not be accepted. But it is still described in Table 328 6-4 as extending the definition of REF-DO. Is this on purpose? What will be the 329 behavior of the code when only a PKG-REF-DO is used in a REF-DO?</strong></p> 330 331 <p><em>A: The option of having PKG-REF-DO as a single value item in REF-DO was 332 removed in the latest version. PKG-REF-DO should only occur in combination with 333 DeviceAppID-REF-DO.</em></p> 334 335 <p><strong>We assume we can grant access to all carrier-based permissions or 336 have a finer-grained control. What will define the mapping between the bit mask 337 and the actual permissions then? One permission per class? One permission per 338 method specifically? Will 64 separate permissions be enough in the long run? 339 </strong></p> 340 341 <p><em>A: This is reserved for the future, and we welcome suggestions.</em></p> 342 343 <p><strong>Can you further define the DeviceAppID for Android specifically? 344 Since this is the SHA-1 (20 bytes) hash value of the Publisher certificate used 345 to signed the given app, shouldn't the name reflect that purpose? (The name 346 could be confusing to many readers as the rule will be applicable then to all 347 apps signed with that same Publisher certificate.)</strong></p> 348 349 <p><em>A: The deviceAppID storing certificates is already supported by the 350 existing spec. We tried to minimize spec changes to lower barrier for adoption. 351 For details, see <a href="#rules_on_uicc">Rules on UICC</a>.</em></p> 352 353 </body> 354 </html> 355
